SSZT202 January 2021 ISO1211, ISO6741, ISO7041, ISO7741, ISO7841
This article appeared in Planet Analog and has been published here with permission.
Galvanic isolation is common in industrial and automotive systems as a means of protecting against high voltages or to counteract ground potential differences. Designers traditionally used optocouplers for isolation, but in the last few years, digital isolators that use capacitive and magnetic isolation have become more popular. With any such isolator, understanding its safety-limiting values and how to use them is important to system design.
In systems using isolators it may be important to ensure that their insulation remains intact even under fault conditions. To achieve this goal, component standards governing optocouplers (such as IEC 60747-5-5) or capacitive and magnetic isolators (such as VDE 0884-11) specify safety-limiting values. These values specify the isolator’s operating condition boundaries within which the insulation is preserved, even if the functionality is not.
A high-voltage/high-current/high-power fault event on one side of the isolator can damage the circuits on that side. For example, events like short circuits, electrostatic discharge (ESD), and power transistor breakdown can force unintended high voltage and current into the isolator’s pins, damaging LEDs, photodetectors, transmit and receive circuits, and on-chip ESD protection. If there is enough power dissipated in the chip, there could also be significant structural damage to the circuits, such as fused silicone insulation, shorted high-voltage capacitor plates, or melted bond wires. Such structural damage can reduce the isolator’s insulation capability. The TI white paper, “Understanding failure modes in isolators,” discusses the effects of these fault events in more detail.
From the end-system perspective, isolation requirements may need to remain in force even after electrical and thermal stress events have impeded the isolator’s signal-transference operation. This is because damage to the isolation barrier can lead to secondary system failures, or the risk of an electrical hazard. For example, in Figure 3, a digital isolator protects the earthed control and communications module while the rest of the system floats. The effects of any faults in and around the digital isolator that may reduce the isolator’s insulation capability must be considered to avoid the effects of shorting DC- to earth.
The practice of safety limiting is designed to minimize potential damage to the isolation barrier should the isolator’s input or output circuitry fail. Isolator component standards define the safety-limiting values as the maximum input or output current (IS), the maximum input or output power (PS), and the maximum junction temperature (TS) the device can withstand in the event of a fault without compromising its isolation, even if the function of the coupling elements may be destroyed. Device manufacturers must specify these parameters, but it remains up to you to ensure that these values are not exceeded in the event of a fault or a failure so that there is no insulation breakdown.
As an example of manufacturer-supplied safety limits, Figure 4 shows the IS for different supply voltages and PS as a function of ambient temperature for TI’s ISO7741 digital isolator. These values are specified so that the device’s maximum safety junction temperature (TS = 150°C) is not exceeded. Based on these curves, for instance, at an ambient temperature of 100°C up to 600 mW of power may dissipate inside the device without any potential damage to the insulation.
For the first example, Figure 5 shows a digital isolator serving as the interface between an analog-to-digital converter (ADC) or analog front end (AFE) and a microcontroller (MCU). I’ll analyze this system for any one primary fault, including any secondary faults this single fault produces. (Additional circuits may be necessary to protect against multiple primary faults.) This analysis will focus on the MCU side for safety limiting, although you can apply the same principles for the ADC/AFE side as well.
In this example, a 24-V industrial power supply (variable up to 36 V) powers the MCU side (VIN24V). A DC/DC converter bucks this down to 5 V (VDC5V), followed by a low-dropout regulator (LDO) that creates a 3.3-V supply (VDC3P3V) for the MCU and the digital isolator. Current-limiting resistor RSUP is included in the supply path, and resistors ROUT and RIN are included in the input/output (I/O) path.
Let’s examine some faults and their implications on safety limiting.
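One way to carry out such a single-fault check numerically, added here as an illustration and not taken from the original article. It assumes linear derating, PS = (TS - TA)/θJA, with θJA inferred from the 600 mW at 100°C point quoted above; it bounds the power into each faulted pin by maximum power transfer through that pin's series resistor, and the resistor values and 105°C ambient are constructed.

```python
"""Added example: safety-limit derating and series-resistor check (constructed model)."""

T_S = 150.0                    # deg C, maximum safety junction temperature (article)
REF_TA, REF_PS = 100.0, 0.600  # article's data point: 600 mW allowed at 100 deg C

def safety_power(t_ambient):
    """Safety-limiting power P_S in watts, assuming linear derating to zero at T_S."""
    return max(0.0, REF_PS * (T_S - t_ambient) / (T_S - REF_TA))

def worst_case_path_power(v_fault, r_series):
    """Upper bound on the power one faulted path can deliver into the isolator pin.

    Maximum power transfer: the pin dissipates most when it drops v_fault / 2,
    so whatever the damaged pin's clamp voltage or impedance turns out to be,
    the power cannot exceed v_fault**2 / (4 * r_series).
    """
    return v_fault ** 2 / (4.0 * r_series)

def check_fault(paths, t_ambient, normal_power=0.0):
    """Evaluate one primary fault together with the secondary faults it causes.

    paths: list of (fault_voltage_V, series_resistance_ohm), one entry per pin
    the fault voltage can reach (for example the supply pin through R_SUP and
    an I/O pin through R_IN). Returns (ok, total_power_W, limit_W).
    """
    total = normal_power + sum(worst_case_path_power(v, r) for v, r in paths)
    limit = safety_power(t_ambient)
    return total <= limit, total, limit

def min_equal_resistance(v_fault, n_paths, t_ambient, normal_power=0.0):
    """Smallest resistance, used in each of n_paths, that keeps the total <= P_S."""
    budget = safety_power(t_ambient) - normal_power
    if budget <= 0:
        raise ValueError("no power budget left at this ambient temperature")
    return n_paths * v_fault ** 2 / (4.0 * budget)

if __name__ == "__main__":
    # Constructed scenario: the 36-V input reaches two isolator pins at 105 deg C.
    t_amb = 105.0
    print(f"P_S at {t_amb:.0f} C = {safety_power(t_amb) * 1e3:.0f} mW")
    print(f"minimum R per path = {min_equal_resistance(36.0, 2, t_amb):.0f} ohm")
    for r in (1000.0, 1500.0):  # constructed candidate resistor values
        ok, total, limit = check_fault([(36.0, r), (36.0, r)], t_amb)
        print(f"R = {r:.0f} ohm: {total * 1e3:.0f} mW vs {limit * 1e3:.0f} mW ->",
              "within limit" if ok else "exceeds limit")
```

The maximum-power-transfer bound is deliberately pessimistic; if the pin's behaviour under fault is known from the data sheet, a tighter figure can replace `worst_case_path_power`.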
For the second example, consider an isolated digital input using the ISO1211, as shown in Figure 6.
The isolated digital inputs receive signals from field sensors and interface them to a host programmable logic controller. The voltage input is nominally 24 V, but with variation can be as high as 36 V. The ISO1211 uses an external RSENSE resistor to provide a precise limit to the current drawn into the SENSE terminal. The external resistor RTHR can adjust the digital input’s voltage threshold. For an 11-V input threshold and a 2-mA current limit, the values of RSENSE and RTHR are 562 Ω and 1 kΩ, respectively (see the ISO1211 data sheet for details).
These two examples demonstrate how to analyze and mitigate different faults in the context of safety-limiting values. Based on the actual application and safety goals, though, you may need to take additional measures.